
ISO 27001 Documentation Simplified
Checklist & Guide

Shelter from the Storm

Documenting is a vital part of implementing ISO 27001:2013.


This guide will take you through the mandated documentation
required to achieve certification to the standard. Additionally, it
provides helpful advice to consider when creating, structuring
and deploying documents.

©2022. All rights reserved. Risk Crew is a trading name of Risk Factory Limited is registered in England and Wales. ISOGU240822
The Breakdown
ISO 27001:2013 is broken down into two key areas: clauses 4 to 10, which define the
governance aspects, and the Annex A controls which, when implemented, define how you
manage risk. Clauses 4 to 10 are a mandatory part of your Information Security Management
System (ISMS), and you will also need the appropriate supporting documents and records. The Annex
A controls are optional (although most will apply); for those you select, you will need the appropriate
policies and the evidence that the controls are effective.

Information Security Managers need to understand how the standard is structured and how the
clauses and controls are organised. Each clause and subclause comes with a set of requirements
that must be met to achieve compliance. It is important to be attentive to these requirements in terms
of processes, activities and documents.

This checklist is designed to be used as a benchmarking tool to help you understand how
closely (or not) your current suite of documents aligns with ISO 27001. It is also helpful for
conducting a gap analysis, responding to customer security questionnaires, or conducting
management reviews of your ISMS.

The Required ISO 27001 Documents

If your company is intending to gain ISO 27001 certification, these are the required processes,
documents, and policies that need to be included or created to deliver a compliant system.

Operational documents to be used by the security team and key risk stakeholders include:

Clause    Required Document
4.2       List/Description of Interested Parties
4.3       The Scope of the ISMS
5.1       Leadership: Evidence of Management Commitment
5.2       Information Security Policy
5.3       Roles and Responsibilities
6.1.2     Information Security Risk Assessment Process
6.1.3     Information Security Risk Treatment Plan
6.1.3     The Statement of Applicability
6.2       Information Security Objectives
7.2       Evidence of Competence
5.5.1     Documented Information Determined as Being Necessary for the Effectiveness of the ISMS
8.1       Operational Planning and Control
8.2       Results of the Information Security Risk Assessment
8.3       Results of the Information Security Risk Treatment
9.1       Evidence of the Monitoring and Measurement of Results
9.2       A Documented Internal Audit Process
9.2       Evidence of the Audit Programmes and the Audit Results
9.3       Evidence of the Results of Management Reviews
10.1      Evidence of the Nature of the Non-Conformities and Any Subsequent Actions Taken
10.1      Evidence of the Results of Any Corrective Actions

The Policies
In addition, the following policy documents should be in place. Each policy applies to either all
staff or to specific functions, e.g. IT, HR, Facilities etc.

Clause    Policy
A.5.1.1   Information Security Policies
A.7.1.2   Terms and Conditions of Employment
A.6.1.3   Contact with Authorities
A.6.1.5   Infosec in Projects
A.7.2.1   Management Responsibilities
A.7.2.2   Security Awareness and Training
A.7.2.3   Disciplinary Process
A.7.3.1   Termination Process
A.8.1.3   Acceptable Use
A.8.2.1   Information Classification
A.8.3.1   Media Management
A.9.1.1   Access Control Policy
A.9.2.1   User Registration
A.9.2.3   Privileged User Management
A.9.2.4   Password Management
A.9.2.5   Access Rights Reviews
A.9.4.1   Information Access Restriction
A.11.1.1  Physical Perimeter
A.11.2.1  Equipment
A.11.2.5  Removal of Assets
A.11.2.7  Secure Disposal and Re-Use
A.11.2.9  Clear Desks and Screens
A.12.1.1  Operating Procedures
A.12.2.1  Antivirus
A.12.3.1  Backups
A.12.6.1  Technical Vulnerability Management
A.13.1.1  Network Security
A.13.2.1  Information Exchange
A.14.1.1  System Security Requirements
A.14.2.2  Change Control
A.15.1.1  Supplier Security
A.16.1.1  Incident Management Responsibilities
A.17.1.1  Planning Infosec Continuity
A.18.1.1  Identifying Compliance Obligations
A.18.2.1  Information Security Reviews

Additional policies or supporting procedures may be required depending on the activities of the
organisation. For example, if you are a software developer you would be expected to have a
comprehensive documented Software Development Life Cycle (SDLC) procedure.

Records are another important consideration. The operational procedures and policies need
to generate a variety of outputs (records) that demonstrate they are working and delivering security
and business benefits.

Tips for Creating, Structuring and Deploying


The lists provided may look like an awful lot of bureaucratic documentation. Risk Crew
advises you to be realistic about the volume of documentation that you reasonably need to create,
use, manage and maintain. It is best practice to keep documents and policies to the
minimum at the beginning; you can always expand and add more later, as your ISMS matures.

Additional Recommendations

1. Keep policies as simple as possible so that staff can understand and follow them. Each
policy should have a succinct:
• Policy Statement – simply states ‘what we need to do’
• Policy Objective – concisely explains ‘why we need to do it’

2. Create an easy to navigate document hierarchy. For small/medium organisations, Risk Crew
recommends the following:
• ISMS Manual – Containing all operational processes/requirements
• Risk Assessment Spreadsheet – Containing the Asset Inventory, Risk Assessment,
Risk Treatment Plan and Statement of Applicability
• Acceptable Use Policy – Containing all policies that apply to all staff
• IT Security Policy – Containing all policies applicable to the IT Department
• HR Security Policy – Containing all policies applicable to the HR Department
• Information Security Manager Policy – Containing all policies applicable to the
management of security

3. If you adopt the hierarchy above, all of your mandated policies and procedures will be
covered within six documents. Here are more tips to keep in mind:
• Writing Techniques – Policies should be written to align with the culture of the
company. Try to avoid making them too academic or technical. Give specific
company examples to help bring them to life.
• Communication – You have now developed a fully compliant suite of security
policies. But they are virtually worthless if they are not communicated
to staff.
• Enforcement – You now need to ensure that staff are adhering to the policies.
One method to consider is appointing departmental ‘policy champions’ whose
role is to monitor and educate staff within their area.

How Risk Crew Can Help
Writing and assembling the required documentation can be a gruelling task, but it doesn’t have
to be. Risk Crew consultants can support you with all your ISO 27001 requirements to help you
achieve certification. Risk Crew has been delivering ISO consultancy services for over 30
combined years. Our experts are working practitioners who use their knowledge to accelerate
your compliance with the standard.

ISO 27001 Compliance Services

Four services are available – providing you with flexible options to get ISO 27001 working for
your organisation. You get the exact amount of expertise and assistance you need to help you
meet your compliance objectives. Nothing more, nothing less.

Risk Crew also provides Security Penetration Testing, so we can be your partner in helping you gain
ISO compliance and stay compliant.

All services are delivered under our 100% satisfaction guarantee.

ISO 27001 Resources


Whether you are just starting your ISO 27001 compliance project or if you're looking to learn
more, you're in the right place! Choose from Risk Crew’s complimentary resources and tools.

ISO 27001 Readiness Assessment – Learn what additional steps it would take for your
organisation to reach compliance with this online tool.

1-2-1 Complimentary Discovery Session – Get a mini-gap assessment and advice from an
ISO 27001 expert. Schedule a call or online meeting today.

ISO 27001 Service Overview Brochure – Find out how Risk Crew can help your organisation
achieve compliance. Choose from 4 service options to meet your needs.

Let our experts help you achieve & accelerate your ISO 27001 Certification.

Contact us for more information

5 Maltings Place, 169 Tower Bridge Road, London SE1 3JB, United Kingdom
information@riskcrew.com | +44 (0) 20 3653 1234 | riskcrew.com
